Category: SFP Secondary Cluster: Unexpected Entry Points
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Unexpected Entry Points cluster.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-489 | Active Debug Code | The product is released with debugging code still enabled or active. |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') | A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in an unexpected state. |
| CWE-493 | Critical Public Variable Without Final Modifier | The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values. |
| CWE-500 | Public Static Field Not Marked Final | An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know about the existence of these applications, it is common for them to contain sensitive information or functions. |
| CWE-568 | finalize() Method Without super.finalize() | The product contains a finalize() method that does not call super.finalize(). |
| CWE-580 | clone() Method Without super.clone() | The product contains a clone() method that does not call super.clone() to obtain the new object. |
| CWE-582 | Array Declared Public, Final, and Static | The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified. |
| CWE-583 | finalize() Method Declared Public | The product violates secure coding principles for mobile code by declaring a finalize() method public. |
| CWE-608 | Struts: Non-private Field in ActionForm Class | An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter. |
| CWE-766 | Critical Data Element Declared Public | The product declares a critical variable, field, or member to be public when intended security policy requires it to be private. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.